I have just got a log from a machine that I am running testing on at a customer; he says that the machine is infected and it has disabled McAfee Enterprise 8.7. Please see attached logs. The machine is communicating heavily via the web, 5 Gig in 1 day. Help if you can. I can see the autorun.inf file on the D$ is an infection, but the machine is off the network now.
In offline mode, the number of files reported will be greater, since GetSusp cannot connect to our online whitelist database using Artemis. Would it be possible to run GetSusp in online mode on the affected machine just for the duration of the scan?
Also, could you post the gsusp.zip file that gets created? It contains XML metadata and is the one we review. The scan log won't have all the details.